This message was posted by a user wishing to remain anonymous
I can't answer your first question about utility brokers, as we don't use those, so I don't know the impact.
As for #2:
a. We do not consider vendors we purchase equipment from as vendors, unless there is an ongoing maintenance agreement. If there is a maintenance agreement, that means they will be on-site at some point, so we would require a COI.
b. We don't consider office supply vendors within scope.
c. We consider lawn care service as a low-risk vendor and would require a COI because we want to make sure they have insurance, since they are operating on our property.
d. Coffee/water service would be a low-risk vendor, and we would request a COI, since they will be operating on our property.
e. Adobe: yes; NADA: not in scope for us; Docusign: yes. Our risk rating of vendors like Adobe and Docusign depends on whether we host the solution or they host it. But yes, we would ask for a COI from those two.
f. Compliance advisory services: yes, in scope, and we would ask for a COI. But we would also not consider them low-risk, because we are counting on their expertise to help us manage our compliance risk.